HANDLING PACKETS TRAVELLING TOWARDS LOGICAL SERVICE ROUTERS (SRs) FOR ACTIVE-ACTIVE STATEFUL SERVICE INSERTION

ABSTRACT

Example methods and computer systems for packet handling for active-active stateful service insertion are disclosed. One example may involve a computer system detecting a packet addressed from a source address to a service endpoint address. Based on configuration information associated with the service endpoint address, the computer system may identify a first active logical service router (SR) and a second active logical SR that are both associated with the service endpoint address and configured to operate in an active-active mode. The first active logical SR may be selected over the second active logical SR by mapping tuple information to the first active logical SR. The computer system may generate an encapsulated packet by encapsulating the packet with an outer header addressed to an outer destination address associated with the first active logical SR and send the encapsulated packet towards the first active logical SR for processing according to a stateful service.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application (Attorney Docket No. F941.01) claims the benefitof Patent Cooperation Treaty (PCT) Application No. PCT/CN2020/103170,filed Jul. 21, 2020. The present application is also related to U.S.patent application Ser. No. ______ (Attorney Docket No. F941.02). ThePCT application and the U.S. patent application are herein incorporatedby reference in their entirety.

BACKGROUND

Virtualization allows the abstraction and pooling of hardware resourcesto support virtual machines in a Software-Defined Networking (SDN)environment, such as a Software-Defined Data Center (SDDC). For example,through server virtualization, virtual machines (VMs) running differentoperating systems may be supported by the same physical machine (e.g.,referred to as a “host”). Each VM is generally provisioned with virtualresources to run an operating system and applications. Further, throughSDN, benefits similar to server virtualization may be derived fornetworking services. For example, logical overlay networks may beprovisioned, changed, stored, deleted and restored programmaticallywithout having to reconfigure the underlying physical hardwarearchitecture.

In practice, logical routers may be deployed in the SDN environment toprovide stateful service(s) to various VMs, such as domain name system(DNS) forwarding, load balancing, network address translation, etc.Conventionally, an active-standby mode is generally implemented using afirst logical router operating in an active mode and a second logicalrouter in a standby mode. When there is a failure at the first logicalrouter, the second logical router may switch from the standby mode tothe active mode. In some cases, users (e.g., network administrators) mayprefer to operate the logical routers in an active-active mode over theactive-standby mode to improve performance. However, the active-activemode might be challenging to implement.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating an example software-definednetworking (SDN) environment in which packet handling for active-activestateful service insertion may be performed;

FIG. 2 is a schematic diagram illustrating an example physical view ofhosts SDN environment in FIG. 1;

FIG. 3 is a flowchart of a first example process for a computer systemto perform packet handling for active-active stateful service insertion;

FIG. 4 is a flowchart of a second example process for a computer systemto perform packet handling for active-active stateful service insertion;

FIG. 5 is a schematic diagram illustrating an example configuration tofacilitate active-active stateful service insertion;

FIG. 6 is a flowchart of an example detailed process for packet handlingfor active-active stateful service insertion;

FIG. 7 is a schematic diagram illustrating a first example packethandling for active-active stateful service insertion;

FIG. 8 is a schematic diagram illustrating a second example packethandling for active-active stateful service insertion;

FIG. 9 is a schematic diagram illustrating a third example packethandling for active-active stateful service insertion; and

FIG. 10 is a schematic diagram illustrating example flow types for whichactive-active stateful service insertion may be performed.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings, which form a part hereof. In the drawings,similar symbols typically identify similar components, unless contextdictates otherwise. The illustrative embodiments described in thedetailed description, drawings, and claims are not meant to be limiting.Other embodiments may be utilized, and other changes may be made,without departing from the spirit or scope of the subject matterpresented here. It will be readily understood that the aspects of thepresent disclosure, as generally described herein, and illustrated inthe drawings, can be arranged, substituted, combined, and designed in awide variety of different configurations, all of which are explicitlycontemplated herein.

Challenges relating to service insertion will now be explained usingFIG. 1 and FIG. 2. In particular, FIG. 1 is a schematic diagramillustrating example software-defined networking (SDN) environment 100in which packet handling for active-active stateful service insertionmay be performed. FIG. 2 is a schematic diagram illustrating examplephysical view 200 of hosts in SDN environment 100 in FIG. 1. It shouldbe understood that, depending on the desired implementation, SDNenvironment 100 may include additional and/or alternative componentsthan that shown in FIG. 1 and FIG. 2. In practice, SDN environment 100may include any number of hosts (also known as “computer systems,”“computing devices”, “host computers”, “host devices”, “physicalservers”, “server systems”, “transport nodes,” etc.). Each host may besupporting any number of virtual machines (e.g., tens or hundreds).

In the example in FIG. 1, SDN environment 100 may include multipletransport nodes, such as hosts 210A-B that are connected with both EDGE1110 and EDGE2 120. Referring also to FIG. 2, each host 210A/210B mayinclude suitable hardware 212A/212B and virtualization software (e.g.,hypervisor-A 214A, hypervisor-B 214B) to support virtual machines (VMs).For example, host-A 210A may support VM1 131 and VM2 132, while VM3 133and VM4 134 are supported by host-B 210B. Hardware 212A/212B includessuitable physical components, such as central processing unit(s)(CPU(s)) or processor(s) 220A/220B; memory 222A/222B; physical networkinterface controllers (PNICs) 224A/224B; and storage disk(s) 226A/226B,etc.

Hypervisor 214A/214B maintains a mapping between underlying hardware212A/212B and virtual resources allocated to respective VMs. Virtualresources are allocated to respective VMs 131-134 to support a guestoperating system (OS; not shown for simplicity) and application(s); see241-244, 251-254. For example, the virtual resources may include virtualCPU, guest physical memory, virtual disk, virtual network interfacecontroller (VNIC), etc. Hardware resources may be emulated using virtualmachine monitors (VMMs). For example in FIG. 2, VNICs 261-264 arevirtual network adapters for VMs 131-134, respectively, and are emulatedby corresponding VMMs (not shown) instantiated by their respectivehypervisor at respective host-A 210A and host-B 210B. The VMMs may beconsidered as part of respective VMs, or alternatively, separated fromthe VMs. Although one-to-one relationships are shown, one VM may beassociated with multiple VNICs (each VNIC having its own networkaddress).

Although examples of the present disclosure refer to VMs, it should beunderstood that a “virtual machine” running on a host is merely oneexample of a “virtualized computing instance” or “workload.” Avirtualized computing instance may represent an addressable data computenode (DCN) or isolated user space instance. In practice, any suitabletechnology may be used to provide isolated user space instances, notjust hardware virtualization. Other virtualized computing instances mayinclude containers (e.g., running within a VM or on top of a hostoperating system without the need for a hypervisor or separate operatingsystem or implemented as an operating system level virtualization),virtual private servers, client computers, etc. Such containertechnology is available from, among others, Docker, Inc. The VMs mayalso be complete computational environments, containing virtualequivalents of the hardware and software components of a physicalcomputing system.

The term “hypervisor” may refer generally to a software layer orcomponent that supports the execution of multiple virtualized computinginstances, including system-level software in guest VMs that supportsnamespace containers such as Docker, etc. Hypervisors 214A-B may eachimplement any suitable virtualization technology, such as VMware ESX® orESXi™ (available from VMware, Inc.), Kernel-based Virtual Machine (KVM),etc. The term “packet” may refer generally to a group of bits that canbe transported together, and may be in another form, such as “frame,”“message,” “segment,” etc. The term “traffic” or “flow” may refergenerally to multiple packets. The term “layer-2” may refer generally toa link layer or media access control (MAC) layer; “layer-3” to a networkor Internet Protocol (IP) layer; and “layer-4” to a transport layer(e.g., using Transmission Control Protocol (TCP), User Datagram Protocol(UDP), etc.), in the Open System Interconnection (OSI) model, althoughthe concepts described herein may be used with other networking models.

SDN controller 280 and SDN manager 284 are example network managemententities in SDN environment 100. One example of an SDN controller is theNSX controller component of VMware NSX® (available from VMware, Inc.)that operates on a central control plane. SDN controller 280 may be amember of a controller cluster (not shown for simplicity) that isconfigurable using management plane module 286 on SDN manager 284.Network management entity 280/284 may be implemented using physicalmachine(s), VM(s), or both. To send or receive control information, alocal control plane (LCP) agent (not shown) on host 210A/210B mayinteract with central control plane (CCP) module 282 at SDN controller280 via control-plane channel 201/202.

Through virtualization of networking services in SDN environment 100,logical networks (also referred to as overlay networks or logicaloverlay networks) may be provisioned, changed, stored, deleted andrestored programmatically without having to reconfigure the underlyingphysical hardware architecture. Hypervisor 214A/214B implements virtualswitch 215A/215B and logical distributed router (DR) instance 217A/217Bto handle egress packets from, and ingress packets to, correspondingVMs. In SDN environment 100, logical switches and logical DRs may beimplemented in a distributed manner and can span multiple hosts.

For example, logical switch (LS) 101/102 in FIG. 1 may be deployed toprovide logical layer-2 connectivity (i.e., an overlay network) to VM131/133. Logical switch 101/102 may be implemented collectively byvirtual switches 215A-B and represented internally using forwardingtables 216A-B at respective virtual switches 215A-B. Forwarding tables216A-B may each include entries that collectively implement therespective logical switches. Further, logical DRs that provide logicallayer-3 connectivity may be implemented collectively by DR instances217A-B and represented internally using routing tables 218A-B atrespective DR instances 217A-B. Routing tables 218A-B may each includeentries that collectively implement the respective logical DRs (to bediscussed further below).

Packets may be received from, or sent to, each VM via an associatedlogical port. For example, logical switch ports 265-268 (labeled “LSP1”to “LSP4” in FIG. 2) are associated with respective VMs 131-134. Here,the term “logical port” or “logical switch port” may refer generally toa port on a logical switch to which a virtualized computing instance isconnected. A “logical switch” may refer generally to a software-definednetworking (SDN) construct that is collectively implemented by virtualswitches 215A-B in FIG. 2, whereas a “virtual switch” may refergenerally to a software switch or software implementation of a physicalswitch. In practice, there is usually a one-to-one mapping between alogical port on a logical switch and a virtual port on virtual switch215A/215B. However, the mapping may change in some scenarios, such aswhen the logical port is mapped to a different virtual port on adifferent virtual switch after migration of the correspondingvirtualized computing instance (e.g., when the source host anddestination host do not have a distributed virtual switch spanningthem).

A logical overlay network may be formed using any suitable tunnelingprotocol, such as Virtual eXtensible Local Area Network (VXLAN),Stateless Transport Tunneling (STT), Generic Network VirtualizationEncapsulation (GENEVE), etc. For example, VXLAN is a layer-2 overlayscheme on a layer-3 network that uses tunnel encapsulation to extendlayer-2 segments across multiple hosts which may reside on differentlayer 2 physical networks. Hosts 210A-B may also maintain data-planeconnectivity with each other via physical network 205 to facilitatecommunication among VMs 131-134. Hypervisor 214A/214B may implementvirtual tunnel endpoint (VTEP) 219A/219B to encapsulate and decapsulatepackets with an outer header (also known as a tunnel header) identifyingthe relevant logical overlay network (e.g., VNI). For example in FIG. 1,hypervisor-A 214A implements first VTEP-A 219A associated with (IPaddress=IP-A, VTEP label=VTEP-A). Hypervisor-B 214B implements secondVTEP-B 219B with (IP-B, VTEP-B). Encapsulated packets may be sent via anend-to-end, bi-directional communication path (known as a tunnel)between a pair of VTEPs over physical network 105.

Multi-Tier Topology

Referring to FIG. 1 again, a multi-tier logical network topology may beimplemented in SDN environment 100 to provide isolation for multipletenants. The multi-tiered topology enables both provider (e.g., datacenter owner) and multiple tenants (e.g., data center tenants) tocontrol their own services and policies. For example, a two-tiertopology may include (1) an upper tier-0 (T0) associated with a providerand (2) a lower tier-1 (T1) associated with a tenant. In this case, alogical DR may be categorized as T1-DR (see 150-152) or T0-DR (see160-162). Similarly, a logical SR may be categorized as T1-SR (see 130,140) or T0-SR (see 170).

On the lower tier, a T1 logical router (DR or SR) connects VM 131/133implemented by host 210A/210B to a T0 logical router. On the upper tier,a T0 logical router (DR or SR) connects a T1 logical router to anexternal server (see 180). In practice, a T0-DR (see 160-162) that isconnected to T0-SR 170 via a router link switch (not shown) is alsoknown as a router link DR. A T1-DR (see 150-152) that is connected to aT1-SR (see 130-140) via a backplane switch (not shown) is known as abackplane DR.

As used herein, the term “logical DR” may refer generally to adistributed routing component spanning, and implemented collectively by,multiple transport nodes. The term “logical SR” may refer generally to acentralized routing component that provides centralized statefulservices, such as domain name system (DNS) forwarding, load balancing,IP address assignment using dynamic host configuration protocol (DHCP),source network address translation (SNAT), destination NAT (DNAT), deeppacket inspection, etc. EDGE 110/120 may be implemented using VM(s)and/or a physical machine (i.e., “bare metal machine”), and capable ofperforming functionalities of a switch, router, bridge, gateway, edgeappliance, or any combination thereof.

In practice, a pair of peer service instances may be deployed in SDNenvironment 100 to provide stateful service(s) to various endpoints,including VM1 131 on host-A 210A and VM3 133 on host-B 210B. Forexample, T1-SR1 130 is a first logical SR supported by EDGE1 110 andT1-SR2 140 is a second logical SR supported by EDGE2 120.Conventionally, an active-standby mode is generally implemented whereT1-SR1 130, for example, operates in an active mode while T1-SR2 140operates in a standby mode. In this case, north-south traffic betweenVM1 131 and external server 180 may be forwarded via active T1-SR1 130for stateful service insertion. Further, east-west traffic between VM1131 and VM3 133 may also be forwarded via active T1-SR1 130. When thereis a failure at T1-SR1 130, a failover may be performed to switch T1-SR2140 on EDGE2 120 from standby to active mode, thereby improvingresilience towards failure.

Unlike the active-standby mode, an active-active mode may involveoperating all T1-SR1 130 and T1-SR2 140 in an active mode. Using theactive-active mode, traffic may be distributed to one of multiple T1-SRs(e.g., 130-140) to improve throughput performance, resiliency towardsfailure and scalability. In practice, however, there are variousimplementation challenges associated with the active-active mode. Forexample in FIG. 1, host-A 210A may select between first active T1-SR1130 and second active T1-SR2 140 to send a service request (see “P1”)towards external server 180. Similarly, T0 logical routers (e.g., T0-SR170, T0-DR 162) may select between T1-SR1 130 and T1-SR2 140 to send arelated service response (see “P2”) towards host-A 210B. If the requestis one packet (e.g., request) is processed using one T1-SR1 130according to a stateful service but a related packet (e.g., response)using another T1-SR2 140, the stateful service might be disrupted oraffected.

Active-Active Stateful Service Insertion

According to examples of the present disclosure, packet handling may beimproved to facilitate active-active stateful service insertion in SDNenvironment 100. Throughout the present disclosure, the term“active-active stateful service insertion” may refer generally to a pairof logical routers (e.g., T1-SR1 130 and T1-SR2 140) configured toprovide stateful service(s) while operating in an active-active mode.The term “stateful service” may refer generally to a service in whichprocessing of a packet belonging to a flow may depend on the processingof a previous packet in the same flow. Examples of the presentdisclosure may be implemented to maintain consistency in the selectionof T1-SR 130/140 for packets belonging to a particular flow and havingrelated tuple information.

Examples of the present disclosure may be performed by any suitable“computer system” capable of receiving and sending packets to multipleactive logical SRs (e.g., T1-SR1 130 and T1-SR2 140) capable ofproviding stateful service(s). One example computer system is host210A/210B supporting T1-DR 150/151 to which T1-SR1 130 and T1-SR2 140are connected. Another example computer system is an EDGE supportingT0-SR 170 and T0-DR 162. Although the terms “first” and “second” areused to describe various elements, these elements should not be limitedby these terms. These terms are used to distinguish one element fromanother. For example, a first element may be referred to as a secondelement, and vice versa. The term “first active logical SR” (or “secondactive logical SR”) may be used to refer to T1-SR1 130 or T1-SR2 140.

Using examples of the present disclosure, the same active T1-SR1 130 maybe selected to process any subsequent packet belonging to the same flowand having the same (or related) tuple information. By maintainingaffinity with a particular T1-SR 130/140, session stickiness (also knownas session persistence or session consistency) may be implemented forstateful services at EDGE 110/120. For example, when using a stickysession, T1-SRs 130-140 do not have to exchange session information,which is usually a costly process especially when there is a hightraffic volume. This should be contrasted against conventionalapproaches that lack consistency (see 198 in FIG. 1) and possiblydisrupt stateful service insertion by T1-SR 130/140, such as byselecting T1-SR1 130 for one packet but different T1-SR2 140 for anotherpacket associated with the same flow or session.

In the following, FIG. 3 will be used to explain handling of packetsthat are inbound towards. FIG. 4 will be used to explain handling ofpackets that are outbound from T1-SR 130/140. Note that the term“inbound” refers generally to a direction of a packet traveling towardsT1-SR 130/140, the packet being an incoming or ingress packet from theperspective of T1-SR 130/140. The term “outbound” refers generally to adirection of a packet traveling away from T1-SR 130/140, the packetbeing an outgoing or egress packet from the perspective of T1-SR130/140.

(a) Handling Inbound Packets Towards T1-SR

FIG. 3 is a flowchart of example process 300 for a computer system toperform packet handling for active-active stateful service insertion.Example process 300 may include one or more operations, functions, oractions illustrated by one or more blocks, such as 310 to 350. Dependingon the desired implementation, various blocks may be combined into fewerblocks, divided into additional blocks, and/or eliminated. Using theexample in FIG. 1, example process 300 will be explained using acomputer system in the form of host-A 210A supporting T1-DR 150.

At 310 in FIG. 3, host-A 210A (e.g., T1-DR 150) may detect a packet (see191 in FIG. 1) that is addressed from a source address (e.g.,192.168.1.1) associated with VM1 131 to a service endpoint address(e.g., 1.1.1.1). In the example in FIG. 1, T1-SR1 130 and T1-SR2 140both implement a service endpoint (e.g., DNS forwarder) associated withthe same service endpoint address (e.g., 1.1.1.1).

At 320 in FIG. 3, based on configuration information (see 192 in FIG. 1)associated with the service endpoint address, host-A 210A may identifyT1-SR1 130 and T1-SR2 140 that are configured to operate in anactive-active mode. In other words, host-A 210A may forward the packettowards T1-SR1 130 or T1-SR2 140 for processing according to a statefulservice.

At 330 in FIG. 3, host-A 210A may select T1-SR1 130 over T1-SR2 140,such as by mapping tuple information specified by the packet to T1-SR1130. Depending on the desired implementation, the tuple information mayinclude at least the source address (e.g., 192.168.1.1) and the serviceendpoint address (e.g., 1.1.1.1). Other tuple information may includeservice protocol (e.g., TCP), source port number, destination portnumber, etc. The mapping process at block 330 may involve applying ahash function on the tuple information. This way, any subsequent packetspecifying the same tuple information may be mapped to the same T1-SR1130, thereby maintaining T1-SR affinity and session stickiness. Thisshould be contrasted against conventional approaches that lackconsistency and session stickiness, such as using a round robin policyto distribute traffic between T1-SR1 130 and T1-SR2 140 for loadbalancing purposes.

At 340-350 in FIG. 3, host-A 210A may generate and send an encapsulatedpacket (see 193 in FIG. 1) towards T1-SR1 130 for processing accordingto a stateful service. The encapsulated packet may be generated byencapsulating the packet with an outer header (O) that is addressed toan outer destination address (e.g., IP-VTEP1) associated with T1-SR1 130supported by EDGE1 130.

As will be described further using FIGS. 5-10, the configurationinformation at block 320 may be received from management entity 280/284and stored in a hash table (also known as a service endpoint inboundflow-consistent hash table) for flow sharding purposes. For example, theconfiguration information (see 192 in FIG. 1) may associate the serviceendpoint address with a VTEP group=(VTEP1, VTEP2) supported byrespective EDGE1 110 and EDGE2 120. In this case, the encapsulatedpacket (see 193 in FIG. 1) at blocks 340-350 may be addressed to outerdestination address=IP-VTEP1 associated with T1-SR1 130.

(b) Handling Packets from T1-SR

FIG. 4 is a flowchart of example process 400 for a computer system toperform packet handling for active-active stateful service insertion.Example process 400 may include one or more operations, functions, oractions illustrated by one or more blocks, such as 410 to 460. Dependingon the desired implementation, various blocks may be combined into fewerblocks, divided into additional blocks, and/or eliminated. Using theexample in FIG. 1, example process 400 will be explained using acomputer system in the form of an EDGE supporting T0-DR 162.

At 410-430 in FIG. 4, in response to detecting a first packet (see “P1”194 in FIG. 1) from T1-SR1 130, EDGE supporting T0-DR 162 may generateand store state information (see 195 in FIG. 1) before sending the firstpacket towards a destination (e.g., external server 180). For example inFIG. 1, state information 195 may associate (a) T1-SR1 130 supported byEDGE1 130 and reachable via VTEP1 with (b) first tuple informationspecified by the first packet. Any suitable first tuple information maybe stored, such as service protocol (e.g., TCP), source IP address(e.g., 99.99.99.99), source port number (e.g., 6487), destination IPaddress (e.g., 8.8.8.8) and destination port number (e.g., 53). Stateinformation 195 may be stored in a connection table (also known as aservice endpoint outbound flow connection table) for session orconnection tracking purposes.

At 440-460 in FIG. 4, in response to detecting a second packet (see “P2”196 in FIG. 1) from destination=external server 180 responsive to thefirst packet, EDGE supporting T0-DR 162 may select T1-SR1 130 and sendthe second packet towards T1-SR1 130 for processing according to astateful service (e.g., DNS forwarding). T1-SR1 130 may be selected overT1-SR2 140 based on the state information at block 420 and second tupleinformation specified by the second packet, thereby maintaining affinitywith T1-SR1 130 and session consistency. Since the second packet is aresponse to the first packet, first tuple information and second tupleinformation are “related” in that the source address/port number in thefirst packet is the destination address/port number in the secondpacket, and vice versa.

As will be described further using FIGS. 5-10, the state information atblock 420 may be generated and stored dynamically based on real-timedatapath traffic. Depending on the desired implementation, block 420 maybe performed in response to identifying a service flag indicatingstateful service connection. The service flag may be set by T1-SR1 130from which the first packet is received. Block 460 may involve EDGEsupporting T0-DR 162 generating an encapsulated packet (see 197 inFIG. 1) by encapsulating the second packet with an outer header that isaddressed to outer destination address=IP-VTEP1 associated with T1-SR1130.

Examples of the present disclosure may be implemented to improvescalability. For example, although explained using T1-SR1 130 and T1-SR2140 for simplicity and conciseness, it should be understood that morethan two T1-SRs may be deployed in SDN environment 100. In general,multiple (M) T1-SRs may be deployed where each active logical T1-SRj issupported by a corresponding edge (EDGEj) using j=1, . . . , M and M>2.In this case, the term “active-active” may refer generally to a scenariowhere there are M>2 active T1-SRs capable of performing stateful serviceinsertion according to examples of the present disclosure.

Service Endpoint Configuration

According to examples of the present disclosure, a service endpointassociated with the same service endpoint address may be configured onmultiple logical T1-SRs. Some examples will be described using FIG. 5,which is a schematic diagram illustrating example service endpointconfiguration 500 for active-active stateful service insertion. Variousexamples will be explained below using the following notations:PRO=service protocol, SIP=source IP address, SPN=source port number,DIP=destination IP address, DPN=destination port number, OUTER_SIP=outersource IP address in an outer header, OUTER_DIP=outer destination IPaddress, etc.

At 510-511 in FIG. 5, management entity 180/184 may configure T1-SR1 130and T1-SR2 140 to implement instances of a service endpoint. In a firstexample, service endpoint=DNS forwarder (see “DNS” in FIG. 5) may beconfigured to relay DNS packets between hosts 210A-B and external DNSserver 180 (see FIG. 1). From the perspective of hosts 210A-B, the DNSforwarder may use (service endpoint IP address=11.11.11.11, portnumber=53) as listen address for VMs (e.g., VM1 131). As will bediscussed further using FIG. 6, the DNS forwarder may use a different IPaddress=99.99.99.99 to interact with an upstream DNS server 180associated with IP address=8.8.8.8 and port number=53. See alsocorresponding FIG. 7.

In a second example, T1-SR1 130 and T1-SR2 140 may implement serviceendpoint=load balancer (see “LB” in FIG. 5) to distribute servicerequests from clients (e.g., VM1 131 or external server) to backendservers (e.g., VM3 133). The load balancer may be associated withservice endpoint IP address=1.1.1.1 and port number=80 to communicatewith clients and/or backend servers. Any suitable load balancing modemay be implemented, such as non-transparent (see FIG. 8) where the IPaddress associated with source=client is hidden from the backend server,inline transparent (see FIG. 9) where the source IP address is nothidden, etc. For service management purposes, a service endpoint addressmay be allocated from a pool of IP addresses.

Once a service is replicated on different T1-SRs 130-140, respectiveEDGE1 110 and EDGE2 120 may report their VTEP information to managemententity 280/284 for aggregation. After aggregation, at 520-521 and 530 inFIG. 5, management entity 280/284 may push configuration informationassociated with the service to various transport nodes, such as host210A/210B supporting T1-DR 150/151, EDGE supporting T0-DR 162, etc. Theconfiguration information may specify service endpoint information(e.g., service protocol, service endpoint address, port number) and VTEPinformation associated with T1-SR1 130 and T1-SR2 140. The configurationinformation may be stored in any suitable data structure, such as a hashtable, etc.

At 540 in FIG. 5, to facilitate stateful DNS forwarding at T1-SRs130-140, a hash table accessible by T1-DR 150/151 may be updated toinclude the following configuration information: (PRO=TCP,DIP=11.11.11.11, DPN=53, GRP=(VTEP1, VTEP2)). This way, a packetrequiring the stateful DNS forwarding service may be mapped or hashed toeither T1-SR1 130 or T1-SR2 140, such as by applying a hash function ontuple information specified by the packet. See 550 in FIG. 5 and FIG. 7.

At 541 in FIG. 5, to facilitate stateful load balancing at T1-SRs130-140, a hash table accessible by T1-DR 150/151 and T0-DR 162 may beupdated to include the following configuration information: (PRO=TCP,DIP=1.1.1.1 and DPN=80, GRP=(VTEP1, VTEP2)). This way, a packetrequiring the stateful load balancing service may be mapped or hashed toeither T1-SR1 130 or T1-SR2 140, such as by applying a hash function ontuple information specified by the packet. See 560 in FIG. 5 and FIGS.8-9.

Throughout the present disclosure, T0-SR 170 may be configured tooperate in an active-standby mode. Active T0-SR 170 is the defaulttier-0 logical SR for both T1-SR1 130 and T1-SR2 140. In the event of afailure, a failover may be triggered such that a standby T0-SR (notshown) takes over the active role from T0-SR 170.

Stateful DNS Forwarding Service

FIG. 6 is a flowchart of example detailed process 600 for a computersystem to perform packet handling for active-active stateful serviceinsertion in SDN environment 100. Example process 600 may include one ormore operations, functions, or actions illustrated by one or moreblocks, such as 605 to 696. The various blocks may be combined intofewer blocks, divided into additional blocks, and/or eliminateddepending on the desired implementation. The example in FIG. 6 will beexplained using FIG. 7, which is a schematic diagram illustrating firstexample 700 of active-active stateful service insertion in SDNenvironment 100. In particular, flows 701-704 may be referred to assession-sticky, full-proxy flows from south (i.e., host-A 210A withindata center) to north (i.e., outside of data center).

(a) Active T1-SR Selection

At 701 in FIG. 7, T1-DR 150 may detect a DNS request from VM1 131 via LS101. The DNS request is generated and sent to resolve a domain name(e.g., www.xyz.com) to an IP address (e.g., IP-xyz). The DNS request mayspecify (PRO=TCP, SIP=192.168.1.1, SPN=7589, DIP=11.11.11.11, DPN=53).SIP=192.168.1.1 is associated with source=VM1 131, which initiated theDNS request to communicate with a server (not shown) associated with theresolved IP address. DIP=11.11.11.11 is associated with a DNS forwarderimplemented by both first active T1-SR1 130 on EDGE1 110 and secondactive T1-SR2 140 on EDGE2 120. The DNS forwarder is configured to relayDNS packets between hosts 210A-B and DNS server 180 with IPaddress=8.8.8.8. See also 605 in FIG. 6.

In response to detecting the DNS request, T1-DR 150 may retrieveconfiguration information 540 in FIG. 5 based on content of the DNSrequest, such as (PRO=TCP, DIP=11.11.11.11 and DPN=53). Based on theconfiguration information, T1-DR 150 may identify VTEP group=(VTEP1,VTEP2) associated with service endpoint=DNS forwarder. See also 610 inFIG. 6. Next, T1-DR 150 may perform T1-SR selection, such as by applyinga hash function on 5-tuple information to obtain a hash value (k1) asfollows:

-   k1=hash(PRO=TCP, SIP=192.168.1.1, SPN=7589, DIP=11.11.11.11,    DPN=53).

Hash value (k1) may then be mapped to one member of VTEP group=(VTEP1,VTEP2), such as VTEP1 associated with first active T1-SR1 130 in theexample in FIG. 7. As such, first active T1-SR1 130 supported by EDGE1110 is selected. See also 620-625 in FIG. 6 and 710 in FIG. 7. Unlikeconventional approaches, examples of the present disclosure may beimplemented to select the same T1-SR1 130 for subsequent DNS request(s)having the same or related 5-tuple information, thereby maintainingconsistency and facilitating stateful service insertion.

At 702 in FIG. 7, T1-DR 150 may generate and send an encapsulated DNSrequest towards first active T1-SR1 130 on EDGE1 110. The encapsulatedDNS request may be generated by encapsulating the DNS request with anouter header specifying (OUTER_SIP=IP-A, OUTER_DIP=IP-VTEP1). Here,outer source VTEP IP address=IP-A is associated with VTEP-A 219A onhost-A 210A. The outer destination VTEP IP address=IP-VTEP1 isassociated with EDGE1 110 on which first active T1-SR1 130 isimplemented. See also 630 in FIG. 6.

At 703 in FIG. 7, EDGE1 110 may perform decapsulation and process theDNS request according to a stateful service. Acting as a DNS forwarder,T1-SR1 130 may update tuple information in the DNS request, such as to(PRO=TCP, SIP=99.99.99.99, SPN=6478, DIP=8.8.8.8, DPN=53). Note thatSIP=99.99.99.99 is used to interact with DNS server 180. Further, T1-SR1130 may associate the DNS request with a service flag indicatingstateful service connection. For example, service flag=TRUE may be setin an outer header (e.g., configured according to GENEVE, VXLAN, etc.)of the DNS request before forwarding it towards T0-SR 170. See also635-640 in FIG. 6.

(b) Stateful Service Connection

At 704 in FIG. 7, in response to the DNS request, T0-DR 160/162 mayidentify service flag=TRUE, which indicates a stateful serviceconnection. In this case, state information associated with the DNSrequest may be generated and stored in a connection table accessible byT0-DR 162. The state information may associate (a) tuple information ofthe DNS request with (b) VTEP information associated with first activeT1-SR1 130. See (PRO=TCP, SIP=99.99.99.99, SPN=6478, DIP=8.8.8.8,DPN=53, VTEP1) at 720 in FIG. 7. The DNS request is then forwardedtowards DNS server 180 via T0-SR 170. See 645. 650, 655 and 660 in FIG.6.

It should be noted that any suitable approach may be used to triggerstate information generation according to blocks 655-660. For example,if both T1-SR1 130 and T0-SR 170 are supported by the same EDGE1 110,another approach is for EDGE1 110 to generate and store stateinformation 720 in the connection table directly without having to setservice flag=TRUE and state information

At 705 in FIG. 7, DNS server 180 may respond with a DNS response thatresolves a domain name (i.e., query input) in the DNS request into an IPaddress (i.e., query output). The DNS response may specify (PRO=TCP,SIP=8.8.8.8, SPN=53, DIP=99.99.99.99, DPN=6478) and forwarded towardsT0-SR 170.

At 706 in FIG. 7, in response to detecting the DNS response from DNSserver 180, T0-DR 162 may retrieve matching state information specifying(PRO=TCP, SIP=99.99.99.99, SPN=6478, DIP=8.8.8.8, DPN=53, VTEP1) fromthe connection table. Based on associated VTEP information, T0-DR 162may forward the DNS response towards first active T1-SR1 130 using outerdestination IP address=IP-VTEP1, thereby maintaining connectionstickiness with T1-SR1 130. This should be contrasted againstconventional approach that receives the service request from firstactive T1-SR1 130 but forwards the service response towards the secondactive T1-SR2 140 because both are operating in an active-active mode.See 665, 670 and 675 in FIG. 6.

At 707 in FIG. 7, T1-SR1 130 may detect and process the DNS responseaccording to a stateful service. Acting as a DNS forwarder, T1-SR1 130may update tuple information in the DNS request to specify (PRO=TCP,SIP=11.11.11.11, SPN=53, DIP=192.168.1.1, DPN=7589) based on the DNSrequest (see 701/702) from VM1 131. In practice, T1-SR1 130 mayimplement a stateful service by storing information associated with theDNS request to facilitate subsequent processing of the DNS response. Byensuring the DNS response is forwarded to T1-SR1 130 instead of T1-SR2140 (which does not have any information of the DNS request), DNSforwarding may be performed on the return path.

To reach host-A 210A, EDGE1 110 (e.g., encapsulation handler) mayencapsulate the DNS response with an outer header that is addressed fromOUTER_SIP=IP-VTEP1 associated with EDGE1 130 and OUTER_DIP=IP-Aassociated with VTEP-A 219A on host-A 210A. See also 680-685 in FIG. 6.Depending on the desired implementation, T1-SR1 130 may associate theDNS response with a service flag indicating stateful service connection.The service flag may be set to cause T1-DR 150/152 to store stateinformation associated with the DNS response (not shown in FIG. 7 forsimplicity). See also 690. 695 and 696 in FIG. 6.

Stateful Non-Transparent Load Balancing

Examples of the present disclosure may be implemented to facilitatestateful service insertion in the form of non-transparent load balancingusing T1-SR1 130 and T1-SR2 140 operating in an active-active mode. Someexamples will be described using FIG. 8, which is a schematic diagramillustrating second example 800 of active-active stateful serviceinsertion in SDN environment 100. Here, a load balancer may operate in anon-transparent mode where IP address information of a client is hiddenfrom the backend servers, and vice versa. Alternatively, as will bediscussed using FIG. 9, a transparent mode (IP address information nothidden) may be used.

(a) Service Configuration

In the example in FIG. 8, service endpoint=load balancer may bereplicated on both T1-SR1 130 and T1-SR2 140 according to theconfiguration process in FIG. 5. The load balancer is associated with IPaddress=1.1.1.1 and capable of directing service requests to one ofmultiple backend servers associated with IP address range=192.168.3.0 to192.168.3.3. One backend server is VM3 133 (having IPaddress=192.168.3.1) on host-B 210B.

On the upper tier, T0-SR 170 may be supported by EDGE3 111 and capableof forwarding service requests from external server 180 to T1-SR1 130and T1-SR2 140. To facilitate active-active stateful service insertion,management entity 180/184 may configure T0 logical router=T0-DR 162 tostore service configuration information in hash table 810 in FIG. 8. Inparticular, the service configuration information may associate (a) theload balancer's (PRO=TCP, DIP=1.1.1.1 and DPN=80) with (b) VTEPgroup=(VTEP1, VTEP2) associated with respective T1-SR1 130 and T1-SR2140. This way, an ingress load balancing request may be mapped or hashedto one member of the VTEP group.

(b) Active T1-SR Selection

At 801 in FIG. 8, T0 logical routers T0-SR 170 and T0-DR 162 may detecta service request from external server 180. The service request mayspecify (PRO=TCP, SIP=10.0.0.3, SPN=1029, DIP=1.1.1.1, DPN=80). SourceIP address (SIP)=10.0.0.3 is associated with external server 180.Destination IP address (DIP)=1.1.1.1 is associated with anon-transparent load balancer implemented by both T1-SR1 130 and T1-SR2140. The load balancer is capable of distributing the service request toone of multiple backend servers, one of which being VM3 133 on host-B210B.

Based on content of the service request, T0-DR 162 may retrieve serviceconfiguration information from hash table 810 in FIG. 8, particularly(PRO=TCP, DIP=1.1.1.1 and DPN=53) associated with VTEP group=(VTEP1,VTEP2). Next, T0-DR 162 may then perform active T1-SR selection, such asby applying a hash function on 5-tuple information in the servicerequest as follows:

k2=hash(PRO=TCP, SIP=10.0.0.3, SPN=1029, DIP=1.1.1.1, DPN=80).

Hash value (k2) may then be mapped to one member of VTEP group=(VTEP1,VTEP2), such as VTEP2 associated with second active T1-SR2 140 in theexample in FIG. 8. As such, second active T1-SR2 140 supported by EDGE2120 is selected. Unlike conventional approaches, examples of the presentdisclosure may be implemented to select the same T1-SR2 140 for anysubsequent service request(s) having the same 5-tuple information,thereby maintaining consistency and facilitating stateful serviceinsertion.

At 802 in FIG. 8, T0-DR 162 may generate and send an encapsulatedservice request towards second active T1-SR2 140 on EDGE2 120. Theencapsulated service request may be generated by encapsulating theservice request with an outer header specifying (OUTER_SIP=IP-VTEP3,OUTER_DIP=IP-VTEP2). Here, outer source VTEP IP address=IP-VTEP3 isassociated with VTEP3 on EDGE3 111. The outer destination VTEP IPaddress=IP-VTEP2 is associated with EDGE2 120 on which second activeT1-SR2 140 is implemented. The outer header may be generated accordingto any suitable encapsulation protocol, such as GENEVE, VXLAN, etc.

At 803 in FIG. 8, in response to detecting the encapsulated servicerequest, EDGE2 120 may perform decapsulation and process the servicerequest accordingly. Acting as a non-transparent load balancer, T1-SR2140 may update tuple information in the service request to specify(PRO=TCP, SIP=1.1.1.1, SPN=2021, DIP=192.168.1.1, DPN=8000). Note thatSIP=1.1.1.1 is used to hide the IP address of external server 180 frombackend server VM3 133. Further, T1-SR2 140 may associate the servicerequest with a service flag indicating stateful service connection. Forexample, service flag=TRUE may be set in the outer header of the servicerequest before forwarding it towards host-B 210B.

(b) Stateful Service Connection

At 804 in FIG. 8, in response to the service request, host-B 210B mayidentify service flag=TRUE in the service request. In this case, tofacilitate active-active stateful service insertion, state informationassociated with the service request may be stored in connection table820 accessible by T0 logical router, such as T1-DR 151. The stateinformation may associate (a) tuple information of the service requestwith (b) VTEP information associated with second active T1-SR2 140. See(PRO=TCP, SIP=1.1.1.1, SPN=2021, DIP=192.168.3.1, DPN=8000, VTEP3) at820 in FIG. 8. The service request is then forwarded towards VM3 133 forprocessing.

At 805 in FIG. 8, VM3 133 may perform any necessary processing andrespond with a service response specifying (PRO=TCP, SIP=192.168.3.1,SPN=8000, DIP=1.1.1.1, DPN=2021).

At 806 in FIG. 8, in response to detecting the service response from VM3133 via LS 102, T1-DR 151 may retrieve matching state informationconfigured above. See 820 in FIG. 8. Based on associated VTEPinformation, T1-DR 151 may forward the service response towards secondactive T1-SR2 140 using outer destination IP address=IP-VTEP2, therebymaintaining connection consistency. Again, this should be contrastedagainst conventional approach that receives the service request fromsecond active T1-SR2 140 but forwards the service response towards firstactive T1-SR1 130 because both are operating in an active-active mode.

At 807 in FIG. 8, T1-SR2 140 may detect and process the service responseaccordingly. For example, tuple information in the service request maybe specified to specify (PRO=TCP, SIP=1.1.1.1, SPN=80, DIP=10.0.0.3,DPN=1029). To reach EDGE3 111, the service response may be encapsulatedwith an outer header that is addressed from OUTER_SIP=IP-VTEP2associated with EDGE2 140 and OUTER_DIP=IP-VTEP3 associated with EDGE3111. The encapsulated service request is then forwarded towards externalserver 180 via T0-SR 170.

Stateful Transparent Load Balancing

Examples of the present disclosure may be implemented to facilitatestateful service insertion for west-east (or east-west) traffic usingT1-SR1 130 and T1-SR2 140 operating in an active-active mode. Someexamples will be described using FIG. 9, which is a schematic diagramillustrating third example 900 of active-active stateful serviceinsertion in SDN environment 100. In the example in FIG. 9, loadbalancing client=VM1 131 with IP address=192.168.1.1 may be located on aclient network. Load balancing server=VM3 133 with IPaddress=192.168.3.1 may be located on a server network. A load balancersupported by both T1-SR1 130 and T1-SR2 140 may be deployed between theclient network and the server network.

(b) Active T1-SR Selection

At 901 in FIG. 9, T1-DR 150 may detect a service request from VM1 131.The service request may specify (PRO=TCP, SIP=192.168.1.1, SPN=1029,DIP=1.1.1.1, DPN=80). Source IP address (SIP)=192.168.1.1 is associatedwith VM1 131. Destination IP address (DIP)=1.1.1.1 is associated with aninline transparent load balancer implemented by both T1-SR1 130 andT1-SR2 140. The load balancer is capable of distributing the servicerequest to one of multiple backend servers, one of which being VM3 133on host-B 210B.

Based on content of the service request, T1-DR 151 may retrieve serviceconfiguration information from hash table 910 in FIG. 9, particularly(PRO=TCP, DIP=1.1.1.1 and DPN=53) associated with VTEP group=(VTEP1,VTEP2). Next, T1-DR 151 may then perform active T1-SR selection, such asby applying a hash function on 5-tuple information in the servicerequest as follows:

k3=hash(PRO=TCP, SIP=192.168.1.1, SPN=1029, DIP=1.1.1.1, DPN=80).

Hash value (k3) may then be mapped to one member of VTEP group=(VTEP1,VTEP2), such as VTEP2 associated with first active T1-SR1 130 in FIG. 9.As such, the service request may be mapped to first active T1-SR1 130supported by EDGE1 110. Note that the same T1-SR1 130 will be selectedto handle any subsequent service request(s) having the same 5-tupleinformation, thereby maintaining consistency and facilitating statefulservice insertion.

At 902 in FIG. 9, T1-DR 151 may generate and send an encapsulatedservice request towards first active T1-SR1 130. The encapsulatedservice request may be generated by encapsulating the service requestwith an outer header specifying (OUTER_SIP=IP-A, OUTER_DIP=IP-VTEP1).Here, outer source VTEP IP address=IP-A is associated with VTEP-A 219Aon host-A 210A. The outer destination VTEP IP address=IP-VTEP1 isassociated with EDGE1 110 on which first active T1-SR1 130 isimplemented. The outer header may be generated according to any suitableencapsulation protocol, such as GENEVE, VXLAN, etc.

At 903 in FIG. 9, in response to detecting the encapsulated servicerequest, EDGE1 110 may perform decapsulation and process the servicerequest accordingly. T1-SR1 130 may update destination information inthe service request to specify (PRO=TCP, SIP=192.168.1.1, SPN=1029,DIP=192.168.3.1, DPN=80). Acting as an inline transparent load balancer,it is not necessary to hide SIP=192.168.1.1 associated with VM1 131 fromVM3 133. Further, T1-SR1 130 may associate the service request with aservice flag indicating stateful service connection. For example,service flag=TRUE may be set in the outer header of the service requestbefore forwarding it towards host-B 210B.

(b) Stateful Service Connection

At 904 in FIG. 9, in response to the service request, host-B 210B mayidentify service flag=TRUE in the service request. In this case, tofacilitate active-active stateful service insertion, state informationassociated with the service request may be stored in connection table920 accessible by T1-DR 151. The state information may associate (a)tuple information of the service request with (b) VTEP informationassociated with first active T1-SR1 130. See (PRO=TCP, SIP=192.168.1.1,SPN=1029, DIP=192.168.3.1, DPN=80, VTEP1) at 920 in FIG. 9. The servicerequest is then forwarded towards VM3 133 for processing.

At 905 in FIG. 9, VM3 133 may perform any necessary processing andrespond with a service response specifying (PRO=TCP, SIP=192.168.3.1,SPN=8000, DIP=192.168.1.1, DPN=2021).

At 906 in FIG. 9, in response to detecting the service response from VM3133, T1-DR 151 may retrieve state information (see 920) configured basedon the service request. Based on VTEP information=VTEP1, T1-DR 151 mayforward the service response towards first active T1-SR1 130 using outerdestination IP address=IP-VTEP1, thereby maintaining connectionconsistency. This should be contrasted against conventional approachthat receives the service request from first active T1-SR1 130 butforwards the service response towards second active T2-SR2 140 becauseboth are operating in an active-active mode.

At 907 in FIG. 9, T1-SR1 130 may detect and process the service responseaccordingly. For example, tuple information in the service request maybe updated to specify (PRO=TCP, SIP=1.1.1.1, SPN=80, DIP=192.168.1.1,DPN=1029). To reach host-A 210A, the service response may beencapsulated with an outer header that is addressed fromOUTER_SIP=IP-VTEP1 associated with EDGE1 130 and OUTER_DIP=IP-Aassociated with VTEP-A 219A on host-A 210A. Further, T1-SR1 130 mayassociate the service response with a service flag indicating statefulservice connection, such as by setting service flag=TRUE in the outerheader before forwarding the encapsulated service response towardshost-B 210B.

At 908 in FIG. 9, in response to the service request, host-A 210A mayidentify service flag=TRUE in the service request. In this case, tofacilitate active-active stateful service insertion, state informationassociated with the service request may be stored in connection table930 accessible by T1-DR 150 on host-A 210A. The state information mayassociate (a) tuple information of the service request with (b) VTEPinformation associated with first active T1-SR1 130. See (PRO=TCP,SIP=1.1.1.1, SPN=80, DIP=192.168.1.1, DPN=1029, VTEP1) at 930 in FIG. 9.

This way, at 909 in FIG. 9, any subsequent service request with the sametuple information will be mapped to, and forwarded towards, first activeT1-SR1 130 reachable via VTEP1. In particular, based on stateinformation 930, service request specifying (PRO=TCP, SIP=192.168.1.1,SPN=1029, DIP=1.1.1.1, DPN=80) may be mapped to VTEP1. In this case, itis not necessary to refer to configuration information 910 in the hashtable (i.e., skipped). In practice, connection table lookup may beimplemented more efficiently compared to a hash calculation. In thiscase, a higher lookup priority may be assigned to the connection tablestoring state information may be assigned with compared to the hashtable storing configuration information. See also block 615 withasterisk (*) in FIG. 6.

Flow Type Analysis

It should be understood that examples of the present disclosure may beimplemented for various flow types, and not limited to the statefulservices discussed using FIGS. 5 to 9. Some example flow types will bedescribed using FIG. 10, which is a schematic diagram illustratingexample flow types for which active-active stateful service insertionmay be performed. In general, an analysis of the flow types is useful toassess whether session stickiness may be implemented.

(a) Notations

From the perspective of T1-SR 130/140, an “inbound” flow may refer to aflow in which the DIP=service endpoint address (e.g., 11.11.11.11)supported by T1-SR 130/140. An “outbound” flow may refer to a flow inwhich the SIP=service endpoint address (e.g., 11.11.11.11) supported byT1-SR 130/140. A “pass-through” flow may refer to a flow that travelsthrough T1-SR 130/140 but neither its SIP or DIP is set to the serviceendpoint address.

The terms “inside” and “outside” may be used to indicate whether a flowis traveling from a south side (e.g., hosts 210A-B) or a north side(e.g., external server 180) of T1-SR 130/140. In particularly, an“inside inbound” flow may refer to an inbound flow traveling from asouth side of T1-SR 130/140. An “outside inbound” flow may refer to aninbound flow traveling from a north side of T1-SR 130/140. An “insidepass-through” flow may refer to a pass-through flow traveling throughT1-SR 130/140 from a south side. An “outside pass-through” flow mayrefer to a pass-through flow traveling through T1-SR 130/140 from anorth side.

A “session-sticky” flow may refer to an inside/outside request flow andcorresponding outside/inside response flow that is consistently directedtowards the same T1-SR. A “full-proxy” flow may refer generally to aflow that includes (1) an inbound flow and (2) an outbound flow. A“half-proxy” flow may refer generally to a flow that includes (1) aninbound or outbound flow and (2) a passthrough flow. For example, aninside full-proxy flow may be referred to as a session-sticky flow when(1) the request flow is directed to a particular T1-SR and (2) thecorresponding response flow is directed towards the same T1-SR.

(b) Flow Types

Referring now to FIG. 10, at 1001, an “inside full-proxy” flow may referto a flow that travels towards T1-SR 130/140 from a south side andincludes (1) an inbound flow (with DIP=service endpoint address) and (2)an outbound flow (with SIP=service endpoint address). Using examples ofthe present disclosure, sticky sessions may be implemented for insidefull-proxy flows to provide active-active stateful services such as DNSforwarding (see FIG. 7) and inline non-transparent load balancing. Inthis case, an active-standby mode may be used for T0 logical router.

At 1002 in FIG. 10, an “outside full-proxy” flow may refer to a flowthat travels towards T1-SR 130/140 from a north side and includes (1) aninbound flow and (2) an outbound flow. Using examples of the presentdisclosure, sticky sessions may be implemented for outside full-proxyflows to provide active-active stateful services such as non-transparentload balancing (see FIG. 8), etc.

At 1003 in FIG. 10, an “inside outbound half-proxy” flow may refer to aflow traveling towards T1-SR 130/140 from a south side and includes (1)a pass-through flow and (2) an outbound flow. Using examples of thepresent disclosure, half-sticky sessions may be implemented for insideoutbound half-proxy flows to provide active-active stateful servicessuch as SNAT, etc. In this case, there may be limitations, such as usingan active-standby mode for T0 logical router, request flow may notensure the transaction due to the half-sticky session, etc. Here, sincethe inside outbound half-proxy includes (1) a pass-through flow and (2)an outbound flow, it is possible for a transport node may send outpackets via a random T1-SR before state information is configured.

At 1004 in FIG. 10, an “outside outbound half-proxy” flow may refer to aflow traveling towards T1-SR 130/140 from a north side and includes (1)a pass-through flow and (2) an outbound flow. Using examples of thepresent disclosure, half-sticky sessions may be implemented for outsideoutbound half-proxy flows to provide active-active stateful servicessuch as SNAT, etc. In this case, the request flow may not ensure thetransaction.

At 1005 in FIG. 10, an “inside inbound half-proxy” flow may refer to aflow traveling towards T1-SR 130/140 from a south side and includes (1)an inbound flow and (2) a pass-through flow. Using examples of thepresent disclosure, sticky sessions may be implemented for insideinbound half-proxy flows to provide active-active stateful services suchas DNAT, inline transparent load balancing, etc. An active-standby modemay be used for T0 logical router.

At 1006 in FIG. 10, an “outside inbound half-proxy” flow may refer to aflow traveling towards T1-SR 130/140 from a north side and includes (1)an inbound flow and (2) a pass-through flow. Using examples of thepresent disclosure, sticky sessions may be implemented for outsideinbound half-proxy flows to provide active-active stateful services suchas DNAT, inline transparent load balancing, etc.

At 1007 in FIG. 10, a “west-east full-proxy” flow may refer to a flowthat travels towards T1-SR 130/140 from a south side and includes (1) aninside inbound flow and (2) an inside outbound flow. Using examples ofthe present disclosure, sticky sessions may be implemented for west-eastfull-proxy flows to provide active-active stateful services such asDNAT, inline transparent load balancing, etc.

At 1008 in FIG. 10, an “west-east outbound half-proxy” flow may refer toa flow traveling towards T1-SR 130/140 from a south side and includes(1) an inside pass-through flow and (2) an inside outbound flow. Usingexamples of the present disclosure, half-sticky sessions may beimplemented for west-east outbound half-proxy flows to provideactive-active stateful services such as SNAT, etc. In this case, therequest flow may not ensure the transaction.

At 1009 in FIG. 10, an “west-east inbound half-proxy” flow may refer toa flow traveling towards T1-SR 130/140 from a south side and includes(1) an inside inbound flow and (2) an inside pass-through flow. Usingexamples of the present disclosure, sticky sessions may be implementedfor west-east inbound half-proxy flows to provide active-active statefulservices such as DNAT, inline transparent load balancing, etc.

Container Implementation

Although discussed using VMs 131-134, it should be understood thatpacket handling for active-active stateful service insertion may beperformed for other virtualized computing instances, such as containers,etc. The term “container” (also known as “container instance”) is usedgenerally to describe an application that is encapsulated with all itsdependencies (e.g., binaries, libraries, etc.). For example, multiplecontainers may be executed as isolated processes inside VM1 131, where adifferent VNIC is configured for each container. Each container is“OS-less”, meaning that it does not include any OS that could weigh 11 sof Gigabytes (GB). This makes containers more lightweight, portable,efficient and suitable for delivery into an isolated OS environment.Running containers inside a VM (known as “containers-on-virtual-machine”approach) not only leverages the benefits of container technologies butalso that of virtualization technologies. Using the examples in thepresent disclosure, packet handling for active-active stateful serviceinsertion may be performed to facilitate secure communication amongcontainers located at geographically dispersed sites in SDN environment100.

Computer System

The above examples can be implemented by hardware (including hardwarelogic circuitry), software or firmware or a combination thereof. Theabove examples may be implemented by any suitable computing device,computer system, etc. The computer system may include processor(s),memory unit(s) and physical NIC(s) that may communicate with each othervia a communication bus, etc. The computer system may include anon-transitory computer-readable medium having stored thereoninstructions or program code that, when executed by the processor, causethe processor to perform processes described herein with reference toFIG. 1 to FIG. 10. For example, a computer system capable of acting ashost 210A/210B or EDGE 110/120/111 may be deployed in SDN environment100 to perform examples of the present disclosure.

The techniques introduced above can be implemented in special-purposehardwired circuitry, in software and/or firmware in conjunction withprogrammable circuitry, or in a combination thereof. Special-purposehardwired circuitry may be in the form of, for example, one or moreapplication-specific integrated circuits (ASICs), programmable logicdevices (PLDs), field-programmable gate arrays (FPGAs), and others. Theterm ‘processor’ is to be interpreted broadly to include a processingunit, ASIC, logic unit, or programmable gate array etc.

The foregoing detailed description has set forth various embodiments ofthe devices and/or processes via the use of block diagrams, flowcharts,and/or examples. Insofar as such block diagrams, flowcharts, and/orexamples contain one or more functions and/or operations, it will beunderstood by those within the art that each function and/or operationwithin such block diagrams, flowcharts, or examples can be implemented,individually and/or collectively, by a wide range of hardware, software,firmware, or any combination thereof.

Those skilled in the art will recognize that some aspects of theembodiments disclosed herein, in whole or in part, can be equivalentlyimplemented in integrated circuits, as one or more computer programsrunning on one or more computers (e.g., as one or more programs runningon one or more computing systems), as one or more programs running onone or more processors (e.g., as one or more programs running on one ormore microprocessors), as firmware, or as virtually any combinationthereof, and that designing the circuitry and/or writing the code forthe software and or firmware would be well within the skill of one ofskill in the art in light of this disclosure.

Software and/or to implement the techniques introduced here may bestored on a non-transitory computer-readable storage medium and may beexecuted by one or more general-purpose or special-purpose programmablemicroprocessors. A “computer-readable storage medium”, as the term isused herein, includes any mechanism that provides (i.e., stores and/ortransmits) information in a form accessible by a machine (e.g., acomputer, network device, personal digital assistant (PDA), mobiledevice, manufacturing tool, any device with a set of one or moreprocessors, etc.). A computer-readable storage medium may includerecordable/non recordable media (e.g., read-only memory (ROM), randomaccess memory (RAM), magnetic disk or optical storage media, flashmemory devices, etc.).

The drawings are only illustrations of an example, wherein the units orprocedure shown in the drawings are not necessarily essential forimplementing the present disclosure. Those skilled in the art willunderstand that the units in the device in the examples can be arrangedin the device in the examples as described or can be alternativelylocated in one or more devices different from that in the examples. Theunits in the examples described can be combined into one module orfurther divided into a plurality of sub-units.

We claim:
 1. A method for a computer system to perform packet handling for active-active stateful service insertion, wherein the method comprises: detecting a packet that is addressed from a source address to a service endpoint address; based on configuration information associated with the service endpoint address, identifying a first active logical service router (SR) and a second active logical SR that are both associated with the service endpoint address and configured to operate in an active-active mode; selecting the first active logical SR over the second active logical SR by mapping tuple information specified by the packet to the first active logical SR, wherein the tuple information includes the source address and the service endpoint address; generating an encapsulated packet by encapsulating the packet with an outer header that is addressed to an outer destination address associated with the first active logical SR; and sending the encapsulated packet towards the first active logical SR for processing according to a stateful service.
 2. The method of claim 1, wherein selecting the first active logical SR comprises: mapping the tuple information to the first active logical SR by applying a hash function on the tuple information that includes a service protocol, the source endpoint address, a source port number, the service endpoint address and a destination port number.
 3. The method of claim 2, wherein the method further comprises: in response to detecting a subsequent packet specifying the same tuple information as the packet, selecting the first active logical SR over the second active logical SR by applying the hash function on the same tuple information.
 4. The method of claim 1, wherein identifying the first active logical SR and the second active logical SR comprises: retrieving the configuration information that associates the service endpoint address with a virtual tunnel endpoint (VTEP) group that includes (a) a first VTEP address, being the outer destination address, associated with the first active logical SR and (b) a second VTEP address associated with the second active logical SR, wherein the configuration information is received from a management entity.
 5. The method of claim 1, wherein selecting the first active logical SR comprises: selecting, by a tier-1 logical distributed router (T1-DR) supported by the computer system, the first active logical SR in the form of a tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 6. The method of claim 1, wherein selecting the first active logical SR comprises: selecting, by a tier-0 logical distributed router (T0-DR) supported by the computer system, the first active logical SR in the form of a first tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 7. The method of claim 1, wherein detecting the packet comprises: detecting the packet requesting for one of the following services replicated on the first active logical SR and the second active logical SR: domain name system (DNS) forwarding, load balancing, source network address translation (SNAT) and destination network address translation (DNAT).
 8. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computer system, cause the processor to perform a method of packet handling for active-active stateful service insertion, wherein the method comprises: detecting a packet that is addressed from a source address to a service endpoint address; based on configuration information associated with the service endpoint address, identifying a first active logical service router (SR) and a second active logical SR that are both associated with the service endpoint address and configured to operate in an active-active mode; selecting the first active logical SR over the second active logical SR by mapping tuple information specified by the packet to the first active logical SR, wherein the tuple information includes the source address and the service endpoint address; generating an encapsulated packet by encapsulating the packet with an outer header that is addressed to an outer destination address associated with the first active logical SR; and sending the encapsulated packet towards the first active logical SR for processing according to a stateful service.
 9. The non-transitory computer-readable storage medium of claim 8, wherein selecting the first active logical SR comprises: mapping the tuple information to the first active logical SR by applying a hash function on the tuple information that includes a service protocol, the source endpoint address, a source port number, the service endpoint address and a destination port number.
 10. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises: in response to detecting a subsequent packet specifying the same tuple information as the packet, selecting the first active logical SR over the second active logical SR by applying the hash function on the same tuple information.
 11. The non-transitory computer-readable storage medium of claim 8, wherein identifying the first active logical SR and the second active logical SR comprises: retrieving the configuration information that associates the service endpoint address with a virtual tunnel endpoint (VTEP) group that includes (a) a first VTEP address, being the outer destination address, associated with the first active logical SR and (b) a second VTEP address associated with the second active logical SR, wherein the configuration information is received from a management entity.
 12. The non-transitory computer-readable storage medium of claim 8, wherein selecting the first active logical SR comprises: selecting, by a tier-1 logical distributed router (T1-DR) supported by the computer system, the first active logical SR in the form of a tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 13. The non-transitory computer-readable storage medium of claim 8, wherein selecting the first active logical SR comprises: selecting, by a tier-0 logical distributed router (T0-DR) supported by the computer system, the first active logical SR in the form of a first tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 14. The non-transitory computer-readable storage medium of claim 8, wherein detecting the packet comprises: detecting the packet requesting for one of the following services replicated on the first active logical SR and the second active logical SR: domain name system (DNS) forwarding, load balancing, source network address translation (SNAT) and destination network address translation (DNAT).
 15. A computer system, comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to: detect a packet that is addressed from a source address to a service endpoint address; based on configuration information associated with the service endpoint address, identify a first active logical service router (SR) and a second active logical SR that are both associated with the service endpoint address and configured to operate in an active-active mode; select the first active logical SR over the second active logical SR by mapping tuple information specified by the packet to the first active logical SR, wherein the tuple information includes the source address and the service endpoint address; generate an encapsulated packet by encapsulating the packet with an outer header that is addressed to an outer destination address associated with the first active logical SR; and send the encapsulated packet towards the first active logical SR for processing according to a stateful service.
 16. The computer system of claim 15, wherein the instructions for selecting the first active logical SR cause the processor to: map the tuple information to the first active logical SR by applying a hash function on the tuple information that includes a service protocol, the source endpoint address, a source port number, the service endpoint address and a destination port number.
 17. The computer system of claim 16, wherein the instructions further cause the processor to: in response to detecting a subsequent packet specifying the same tuple information as the packet, select the first active logical SR over the second active logical SR by applying the hash function on the same tuple information.
 18. The computer system of claim 15, wherein the instructions for identifying the first active logical SR and the second active logical SR cause the processor to: retrieve the configuration information that associates the service endpoint address with a virtual tunnel endpoint (VTEP) group that includes (a) a first VTEP address, being the outer destination address, associated with the first active logical SR and (b) a second VTEP address associated with the second active logical SR, wherein the configuration information is received from a management entity.
 19. The computer system of claim 15, wherein the instructions for selecting the first active logical SR cause the processor to: select, by a tier-1 logical distributed router (T1-DR) supported by the computer system, the first active logical SR in the form of a tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 20. The computer system of claim 15, wherein the instructions for selecting the first active logical SR cause the processor to: select, by a tier-0 logical distributed router (T0-DR) supported by the computer system, the first active logical SR in the form of a first tier-1 logical service router (T1-SR) supported by an edge associated with the outer destination address.
 21. The computer system of claim 15, wherein the instructions for detecting the packet cause the processor to: detect the packet requesting for one of the following services replicated on the first active logical SR and the second active logical SR: domain name system (DNS) forwarding, load balancing, source network address translation (SNAT) and destination network address translation (DNAT). 